After The Hack, Should I Still Trust Google & The Cloud With My Data?

Over the past year, I’ve moved more and more of my data over to the cloud — in particular, to being stored with Google. I’m rethinking that, in the wake of Google’s statement that it was the target of a sophisticated hacking attack. Further, I’m wondering if this entire episode — GoogleHack, for want of a better name — will develop into a major reversal for the growth of cloud computing.

Living In The Cloud

For those not up on the term, “cloud computing” is a reference to the idea that your programs and data live on the internet rather than on your computer. Need to write a letter? You don’t install Microsoft Word, then compose the letter and save it to your computer’s hard drive. You open your browser, go to Google Docs, create the letter there and save it to be stored with Google.

The internet is the “cloud,” and by letting everything live within it, you’re promised great benefits. That file you need? As long as you can get online, it’s available to you. You can get it from your laptop, a friend’s computer or from your cell phone. It’s even backed up for you. And painful software installations? Forget about it! When’s the last time Gmail said it needed to download a security update to your computer and then prompted you to restart after it was finished?

Cloud Computing, Google & Being A Big Target

Enticing. Seductive. What’s not to love? And Google has built a huge part of its business around the idea that we should trust both the cloud computing concept and Google itself. Just this week, the company announced 1GB of storage for any type of files. The hacking attacks call that all into question more than anything I can think of before.

What do we know so far? Google only tells us that there was a “highly sophisticated and targeted attack” on its “corporate infrastructure” that resulted in the theft of “intellectual property.” What’s that mean, exactly?

Well, one report now out from IDG is that Google apparently maintains a system to monitor or collect data about users in case it is served with a search warrant — and that the hackers got into that system. An anonymous source is quoted saying:

“Right before Christmas, it was, ‘Holy s***, this malware is accessing the internal intercept [systems].’”

Hmm. I’ve often joked with people that there’s a secret room deep under the Googleplex that houses two people who do nothing but watch everything that goes on through Google’s servers. Sworn to secrecy, their job is to defend the data, no matter what. And if one of them should go crazy, why the other one is there armed and willing to take action, kind of like those in nuclear weapons silos. You remember the movie War Games, right?

Well, I guess it’s not so much a joke. While on the one hand, I can see why Google would want to create such a system, it’s also blindingly obvious what a potential target it would be for hackers. Moreover, it simply highlights what a target Google itself is.

Most criticism over the years about Google and data that it collects or stores has focused on the idea that Google itself would be the bad actor. Google would go evil and spy on everything you do. In reality, it may be external parties that we should be most worried about.

Google: The New Windows, With All The Viruses?

Consider the “old” computer model. Windows is the most popular operating system out there. Despite Microsoft running it, there have been no major examples I can think of where Microsoft has been found to have collected data through that operating system that has later leaked out. However, Windows is also the operating system that to my knowledge is most prone to virus and malware attacks. Because so many people use it, Windows itself sits on individual computers as a big target begging to be attacked by external parties.

Google is the new operating system for many people. Indeed, the coming Google OS will literally make Google into an operating system, where you’ll access Google services (as well as the rest of the web) through a Google browser. Google is our computer, where we get our email, store our documents, leave our spreadsheets and much more. All that data, just sitting over there. A big huge target, begging to be attacked.

This Was A Cloud Computing Attack

Google has and will continue to assure us that everything is safe. Indeed, on the same day it made the announcement about the hacking attempts, it had a separate blog post specifically assuring us that cloud computing remained secure:

This was not an assault on cloud computing. It was an attack on the technology infrastructure of major corporations in sectors as diverse as finance, technology, media, and chemical. The route the attackers used was malicious software used to infect personal computers. Any computer connected to the Internet can fall victim to such attacks. While some intellectual property on our corporate network was compromised, we believe our customer cloud-based data remains secure.

While any company can be subject to such an attack, those who use our cloud services benefit from our data security capabilities. At Google, we invest massive amounts of time and money in security. Nothing is more important to us. Our response to this attack shows that we are dedicated to protecting the businesses and users who have entrusted us with their sensitive email and document information. We are telling you this because we are committed to transparency, accountability, and maintaining your trust.

I bolded the key part, which frankly is wrong. It very much was an attack on cloud computing, as Google’s main blog post made clear. Hackers went after Gmail accounts, not just through malware-infected computers but directly by targeting Google, that post told us. Gmail — your email, stored in the cloud. That’s an attack on cloud computing.

Remember, before Gmail came, you didn’t leave your email sitting in the cloud for very long. It cost you money to do so. You downloaded it to your own computer and deleted it from the cloud. Gmail ended all that, assuring people they need never delete anything again.

What Exactly Got Taken?

So spare me the suggestion this wasn’t an attack on cloud computing. Reassure me another way, such as telling me in the main post that only “limited” data got out about two Gmail accounts “such as” the subject line of emails in those accounts.

No worries then, because you know that subject lines never have any revealing info in them. Or that in Gmail, subject lines often include a little bit of the opening part of the email itself. And next to the subject line, the sender is listed. Was that information seen?

Remember me putting “such as” in quotes? That’s because Google only specifically described two types of the “limited” data that was seen. What else might have been viewed remains completely open to speculation.

Still, let’s say we completely trust that this time, Google fended off the nasties. What about next time? Because there’s sure to be a next time. Will it be successful then?

The Human Weakness

Also note that Google’s apparently investigating if there were insiders involved — people within Google assisting with this. Even if that’s not true this time, again, what about next time? Google employs thousands of people. Unlike early Googlers, the new folks are not getting incredibly wealthy. Can they be bribed? Might some look around out of curiosity? Goodness, do we now have to worry that government agents from any country (including those from the US) might go undercover to gain access? Hand me my tinfoil hat! Except it’s not sounding so crazy, anymore.

Meanwhile, the specter of human mistakes still lingers. Last week, Google emailed an undisclosed number of people information about businesses that they had no connection with. How’d that happen? Human error. Whoa — what type of human error? Exactly how did that screw-up happen? Sorry, Google’s not talking more in public about that.

We Got The Censorship Angle, Now Back To Data Security

It’s time for the stories to start shifting. Google gets hacked, so it reacts by deciding to no longer censor. As a result, the coverage so far has been largely about how that change will impact Google’s business prospects in China.

The focus really should get back on the issue of Google being hacked. I’m as glad as many people are that Google’s going to stop censoring. I also don’t think Google purposely made the anti-censorship move and announcement to distract from the issues that being hacked raises. But that indeed needs much more attention.

And what to do? Pull all your data down? That’s a personal decision. I love having my email easy to search by being in the cloud. But I’m not sure I want to start uploading my financial documents. I’m less certain that I want to have company documents sitting out there. I’m kind of thinking in the era of cheap hard drives, I might just do more carrying around my own little cloud with me. Encrypted, of course!

Ironically, such a shift could also make data less safe. Will we get back to the days when people routinely emailed files back and forth through unsecured email connections? There’s also a need for perspective. You’re probably far more at risk of having your data exposed by using a weak password than through government-backed hacking attempts.

Still, the cloud lost some trust this week. I think more trust will be lost as further details emerge — and that’s not just for Google but for any company offering cloud computing. How that trust will be rebuilt, for Google, depends on how forthcoming the company is about what happened, what got out and why we should really feel secure against future attempts.

About The Author: is a Founding Editor of Search Engine Land. He’s a widely cited authority on search engines and search marketing issues who has covered the space since 1996. Danny also serves as Chief Content Officer for Third Door Media, which publishes Search Engine Land and produces the SMX: Search Marketing Expo conference series. He has a personal blog called Daggle (and keeps his disclosures page there). He can be found on Facebook, Google + and microblogs on Twitter as @dannysullivan.

  • Jonathan Hochman

    Thank you for commencing a discussion of this issue.

    Data security breaches frequently resulted in the complete destruction of businesses. Usually the bad guys attack ecommerce systems and go after credit card numbers. Where computers are involved, there will be bugs, and security failures. Google is no more a risk (and probably less of a risk) than keeping data on your own computer. In any case, your ISP is logging your activities and if their systems are compromised, you’re borked all the same.

    Google pulling out of China is about more than just their disdain for censorship. (That seems to be a pretense.) It seems that something very essential has changed. To me it looks like a state actor, such as China, may have attacked several high profile tech companies in order to gather data about political dissidents. For instance, they might be after the IP addresses of certain gmail or email accounts.

    At Wikipedia we have extraordinary measures to protect user privacy, including wiping out logs after a relatively short amount of time. Google and others have a legitimate need to store IP data. Often this data is essential to stopping abuse or crime. However, there is great danger if such data falls into the hands of a repressive government, or perhaps, any government.

  • bluesnapper

    Security of the cloud and Google in particular has concerned me for some time.

    While I love the idea of a netbook/Chrome OS to take away my IT worries and make me super productive (?) I wouldn’t sleep well knowing I had sensitive information ‘out there somewhere’. I like the warm feeling I get from jumping through multiple security hoops to see my bank details – so would a hacker (the hoops, not the warm feeling…)

    At the moment I’m staring at my Google Account screen knowing that it just needs my username (googlemail email address that gets everywhere) and a password to access my client’s Google Analytics, Adwords, webmaster tools, Gmail, GDocs etc

    For now, I’ll keep my personal data under my pillow.

  • Stupidscript

    “Gmail — your email, stored in the cloud. That’s an attack on cloud computing.”

    Google’s computers are powered by electricity. This was an attack on electricity.

    I hope that little bit of sarcasm highlights the fact that security of any type is only as strong as its weakest link. Sure, Gmail exists in the cloud, but it is incorrect to say that this was an attack on the entire concept of “cloud computing”. This was an attack that targeted resources that existed in the cloud. Unless, of course, you are willing to describe a bank robbery as an attack on the concept of “banking”.

    According to available information, this was a series of successful phishing (social engineering) attacks that resulted in a limited breach of some of Google’s resources, still restricted to userland, and those of several other companies, so you are correct in your expansion of the question of who to trust.

    It really is the people that are the weak links. And that is the bit that is most worrisome about cloud computing and this event: When YOUR data can be compromised because someone ELSE was a fool, THAT is cause for a re-evaluation of your use of any shared resource.

  • devnull

    “Google apparently maintains a system to monitor or collect data about users in case it is served with a search warrant”.

    This doesn’t surprise me. It’s been a feature on the email servers that I admin for several years.

    All I have to do is fill in the email address of the account to be monitored, the email address of the government agency that wants to spy on you, and they are notified every time you log in, access a folder, or delete a file, and get copies of everything you send or receive.

    As far as my data is concerned if it’s confidential, I encrypt it – regardless of whether it’s in the cloud or on my hard drive.
